ATT&CK v16 - October 2024
The following issues are known discrepancies and non-compliance within the current ATT&CK knowledge base. These issues reflect elements that do not conform to the Zod schemas and require changes to bring the knowledge base into full compliance. Your understanding and patience are appreciated as we work to make improvements.
Asset Schema
Asset
Object containing the following properties:
Property | Description | Type |
---|---|---|
id (*) | | any |
type (*) | | 'x-mitre-asset' |
spec_version (*) | The version of the STIX specification used to represent this object. | '2.0' \| '2.1' |
created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | any |
modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | any |
created_by_ref (*) | The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. | any |
labels | The labels property specifies a set of terms used to describe this object. | Array<string> |
revoked | The revoked property indicates whether the object has been revoked. | boolean |
confidence | | number (int, ≥1, ≤99) |
lang | Identifies the language of the text content in this object. | string |
external_references (*) | A list of external references which refers to non-STIX information. | Array of at least 1 objects: |
object_marking_refs (*) | The list of marking-definition objects to be applied to this object. | Array<any> |
granular_markings | The set of granular markings that apply to this object. | Array of objects: |
extensions | Specifies any extensions of the object, as a dictionary. | Object with dynamic keys of type string and values of type Object with properties:
string and values of type unknown (optional & nullable) |
name (*) | The name of the object. | string (min length: 1) |
x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string |
x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | any |
x_mitre_old_attack_id | Old ATT&CK IDs that may have been associated with this object | string |
x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
description | A description of the object. | string |
x_mitre_platforms | List of platforms that apply to the object. | Array<'Field Controller/RTU/PLC/IED' \| 'Network' \| 'Data Historian' \| 'Google Workspace' \| 'Office 365' \| 'Containers' \| 'Azure AD' \| 'Engineering Workstation' \| 'Control Server' \| 'Human-Machine Interface' \| 'Windows' \| 'Linux' \| 'IaaS' \| 'None' \| 'iOS' \| 'PRE' \| 'SaaS' \| 'Input/Output Server' \| 'macOS' \| 'Android' \| ...> (min: 1) |
x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
x_mitre_contributors | People and organizations who have contributed to the object. Not found on relationship objects. | Array<string> |
x_mitre_sectors | List of industry sector(s) an asset may be commonly observed in. | XMitreSectors |
x_mitre_related_assets | Related assets describe sector-specific device names or aliases that may be commonly associated with the primary asset page name or functional description. Related asset objects include a description of how the related asset is associated with the page definition. | RelatedAssets |
x_mitre_modified_by_ref | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | any |
(*) Required.
RelatedAsset
Object containing the following properties:
Property | Description | Type |
---|---|---|
name (*) | | string |
related_asset_sectors | List of industry sector(s) an asset may be commonly observed in. | XMitreSectors |
description | A description of the object. | string |
(*) Required.
RelatedAssets
Related assets describe sector-specific device names or aliases that may be commonly associated with the primary asset page name or functional description. Related asset objects include a description of how the related asset is associated with the page definition.
Array of RelatedAsset items.
XMitreSectors
List of industry sector(s) an asset may be commonly observed in.
Array of 'Electric' | 'Water and Wastewater' | 'Manufacturing' | 'Rail' | 'Maritime' | 'General' items.
Campaign Schema
Campaign
Object containing the following properties:
Property | Description | Type |
---|---|---|
id (*) | | any |
type (*) | | 'campaign' |
spec_version (*) | The version of the STIX specification used to represent this object. | '2.0' \| '2.1' |
created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | any |
modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | any |
created_by_ref (*) | The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. | any |
labels | The labels property specifies a set of terms used to describe this object. | Array<string> |
revoked (*) | The revoked property indicates whether the object has been revoked. | boolean |
confidence | | number (int, ≥1, ≤99) |
lang | Identifies the language of the text content in this object. | string |
external_references (*) | A list of external references which refers to non-STIX information. | Array of at least 1 objects: |
object_marking_refs (*) | The list of marking-definition objects to be applied to this object. | Array<any> |
granular_markings | The set of granular markings that apply to this object. | Array of objects: |
extensions | Specifies any extensions of the object, as a dictionary. | Object with dynamic keys of type string and values of type Object with properties:
string and values of type unknown (optional & nullable) |
name (*) | The name of the object. | string (min length: 1) |
x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string |
x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | any |
x_mitre_old_attack_id | Old ATT&CK IDs that may have been associated with this object | string |
x_mitre_deprecated (*) | Indicates whether the object has been deprecated. | boolean |
description (*) | A description of the object. | string |
x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
x_mitre_modified_by_ref (*) | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | any |
x_mitre_contributors | People and organizations who have contributed to the object. Not found on relationship objects. | Array<string> |
aliases (*) | Alternative names used to identify this campaign. The first alias must match the object's name. | Array<string> |
first_seen (*) | The time that this Campaign was first seen. | any |
last_seen (*) | The time that this Campaign was last seen. | any |
x_mitre_first_seen_citation (*) | One or more citations for when the object was first seen, in the form '(Citation: [citation name])(Citation: [citation name])...', where each [citation name] can be found as one of the source_name values in the external_references. | XMitreFirstSeenCitation |
x_mitre_last_seen_citation (*) | One or more citations for when the object was last seen, in the form '(Citation: [citation name])(Citation: [citation name])...', where each [citation name] can be found as one of the source_name values in the external_references. | XMitreLastSeenCitation |
(*) Required.
XMitreFirstSeenCitation
One or more citations for when the object was first seen, in the form '(Citation: [citation name])(Citation: [citation name])...', where each [citation name] can be found as one of the source_name values in the external_references.
Any type.
XMitreLastSeenCitation
One or more citations for when the object was last seen, in the form '(Citation: [citation name])(Citation: [citation name])...', where each [citation name] can be found as one of the source_name values in the external_references.
Any type.
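Several Campaign rules above relate one field to another, and a type of `any` or `string` cannot express that. The following is an added example, not code from the ATT&CK Data Model project, that checks those rules on a constructed campaign object. It assumes STIX-style UTC timestamps ending in `Z` and citation names without parentheses; `checkCampaign`, `citationNames` and the sample values are hypothetical.

```javascript
// Added example: cross-field checks for a campaign object (not project code).

// 'major.minor', each part an integer between 0 and 99, no patch number.
const VERSION_RE = /^\d{1,2}\.\d{1,2}$/;
// Assumption: UTC timestamp with exactly three fractional digits.
const MILLIS_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;
// The whole value must be one or more '(Citation: name)' groups.
const CITATIONS_RE = /^(?:\(Citation: [^()]+\))+$/;

// Returns the cited names, or null when the value is not in citation form.
function citationNames(value) {
  if (typeof value !== "string" || !CITATIONS_RE.test(value)) return null;
  return [...value.matchAll(/\(Citation: ([^()]+)\)/g)].map((m) => m[1]);
}

// Returns the names of the properties that break a rule from the table.
function checkCampaign(c) {
  const problems = [];
  if (!VERSION_RE.test(String(c.x_mitre_version))) problems.push("x_mitre_version");
  for (const field of ["created", "modified"]) {
    if (!MILLIS_RE.test(String(c[field]))) problems.push(field);
  }
  // The first alias must match the object's name.
  if (!Array.isArray(c.aliases) || c.aliases[0] !== c.name) problems.push("aliases");
  // Every cited name must be a source_name in external_references.
  const sources = new Set((c.external_references || []).map((r) => r.source_name));
  for (const field of ["x_mitre_first_seen_citation", "x_mitre_last_seen_citation"]) {
    const names = citationNames(c[field]);
    if (names === null || names.some((n) => !sources.has(n))) problems.push(field);
  }
  return problems;
}

// Constructed sample data; names and timestamps are placeholders.
const sampleCampaign = {
  type: "campaign",
  name: "Constructed Campaign",
  aliases: ["Constructed Campaign", "CC-Example"],
  created: "2024-10-01T12:00:00.000Z",
  modified: "2024-10-15T08:30:00.123Z",
  x_mitre_version: "1.2",
  x_mitre_first_seen_citation: "(Citation: Vendor Report A)",
  x_mitre_last_seen_citation: "(Citation: Vendor Report A)(Citation: Vendor Report B)",
  external_references: [{ source_name: "Vendor Report A" }, { source_name: "Vendor Report B" }],
};
const brokenCampaign = {
  ...sampleCampaign,
  aliases: ["CC-Example", "Constructed Campaign"], // name is not first
  modified: "2024-10-15T08:30:00Z", // no millisecond part
  x_mitre_version: "1.2.3", // patch number present
  x_mitre_last_seen_citation: "(Citation: Vendor Report C)", // not a source_name
};
console.log(checkCampaign(sampleCampaign), checkCampaign(brokenCampaign));
```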
Collection Schema
Collection
Object containing the following properties:
Property | Description | Type |
---|---|---|
id (*) | | any |
type (*) | | 'x-mitre-collection' |
spec_version (*) | The version of the STIX specification used to represent this object. | '2.0' \| '2.1' |
created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | any |
modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | any |
created_by_ref (*) | The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. | any |
labels | The labels property specifies a set of terms used to describe this object. | Array<string> |
revoked | The revoked property indicates whether the object has been revoked. | boolean |
confidence | | number (int, ≥1, ≤99) |
lang | Identifies the language of the text content in this object. | string |
external_references | A list of external references which refers to non-STIX information. | Array of at least 1 objects: |
object_marking_refs (*) | The list of marking-definition objects to be applied to this object. | Array<any> |
granular_markings | The set of granular markings that apply to this object. | Array of objects: |
extensions | Specifies any extensions of the object, as a dictionary. | Object with dynamic keys of type string and values of type Object with properties:
string and values of type unknown (optional & nullable) |
name (*) | The name of the object. | string (min length: 1) |
x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string |
x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | any |
x_mitre_old_attack_id | Old ATT&CK IDs that may have been associated with this object | string |
x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
description (*) | Details, context, and explanation about the purpose or contents of the collection. | string |
x_mitre_contents (*) | Specifies the objects contained within the collection. | XMitreContents |
(*) Required.
ObjectVersionReference
Object containing the following properties:
Property | Description | Type |
---|---|---|
object_ref (*) | The ID of the referenced object. | any |
object_modified (*) | The modified time of the referenced object. It MUST be an exact match for the modified time of the STIX object being referenced. | any |
(*) Required.
XMitreContents
Specifies the objects contained within the collection.
Array of at least 1 ObjectVersionReference items.
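The `object_modified` rule makes `x_mitre_contents` a version-pinned manifest, so a consumer can detect objects that are absent or that have a different `modified` time than the collection lists. The following is an added example, not code from the ATT&CK Data Model project. It assumes "exact match" means string equality, and `checkCollectionContents`, the ids and the timestamps are constructed placeholders.

```javascript
// Added example: verify a collection's x_mitre_contents against the objects
// that accompany it (not project code).

function checkCollectionContents(collection, objects) {
  // Index the available versions (modified timestamps) of each object id.
  const versions = new Map();
  for (const obj of objects) {
    if (!versions.has(obj.id)) versions.set(obj.id, new Set());
    versions.get(obj.id).add(obj.modified);
  }
  const contents = collection.x_mitre_contents;
  // The schema requires an array with at least one ObjectVersionReference.
  if (!Array.isArray(contents) || contents.length === 0) {
    return { ok: false, empty: true, missing: [], mismatched: [] };
  }
  const missing = [];
  const mismatched = [];
  for (const ref of contents) {
    const known = versions.get(ref.object_ref);
    if (!known) {
      missing.push(ref.object_ref);
    } else if (!known.has(ref.object_modified)) {
      // Assumption: exact match is string equality, so "...:00Z" and
      // "...:00.000Z" are treated as different values.
      mismatched.push({ id: ref.object_ref, listed: ref.object_modified, found: [...known] });
    }
  }
  const ok = missing.length === 0 && mismatched.length === 0;
  return { ok, empty: false, missing, mismatched };
}

// Constructed sample data; ids and timestamps are placeholders.
const T1 = "attack-pattern--00000000-0000-4000-8000-000000000001";
const T2 = "attack-pattern--00000000-0000-4000-8000-000000000002";
const T3 = "attack-pattern--00000000-0000-4000-8000-000000000003";
const bundleObjects = [
  { id: T1, modified: "2024-10-01T00:00:00.000Z" },
  { id: T2, modified: "2024-10-02T00:00:00.000Z" },
];
const sampleCollection = {
  type: "x-mitre-collection",
  x_mitre_contents: [
    { object_ref: T1, object_modified: "2024-10-01T00:00:00.000Z" }, // matches
    { object_ref: T2, object_modified: "2024-09-01T00:00:00.000Z" }, // other version
    { object_ref: T3, object_modified: "2024-10-03T00:00:00.000Z" }, // not present
  ],
};
console.log(JSON.stringify(checkCollectionContents(sampleCollection, bundleObjects), null, 2));
```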
Data component Schema
DataComponent
Object containing the following properties:
Property | Description | Type |
---|---|---|
id (*) | | any |
type (*) | | 'x-mitre-data-component' |
spec_version (*) | The version of the STIX specification used to represent this object. | '2.0' \| '2.1' |
created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | any |
modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | any |
created_by_ref (*) | The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. | any |
labels | The labels property specifies a set of terms used to describe this object. | Array<string> |
revoked | The revoked property indicates whether the object has been revoked. | boolean |
confidence | | number (int, ≥1, ≤99) |
lang | Identifies the language of the text content in this object. | string |
external_references | A list of external references which refers to non-STIX information. | Array of at least 1 objects: |
object_marking_refs (*) | The list of marking-definition objects to be applied to this object. | Array<any> |
granular_markings | The set of granular markings that apply to this object. | Array of objects: |
extensions | Specifies any extensions of the object, as a dictionary. | Object with dynamic keys of type string and values of type Object with properties:
string and values of type unknown (optional & nullable) |
name (*) | The name of the object. | string (min length: 1) |
x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string |
x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | any |
x_mitre_old_attack_id | Old ATT&CK IDs that may have been associated with this object | string |
x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
description (*) | A description of the object. | string |
x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
x_mitre_modified_by_ref (*) | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | any |
x_mitre_data_source_ref (*) | STIX ID of the data source this component is a part of. | XMitreDataSourceRef |
(*) Required.
XMitreDataSourceRef
STIX ID of the data source this component is a part of.
Any type.